Hosting Provided By

Opera/Konqueror: data: URL scheme address bar spoofing

From: Robert Swiecki <jagger(at)swiecki.net>
Date: Fri Jul 13 2007 - 19:50:49 EDT

With a specially crafted web page, an attacker can redirect a www browser to the page, which URL (in the url bar) resembles an arbitrary domain choosen by the attacker.

It's possible due to the fact, that some web browsers incorrectly display contents of the url bar while rendering pages based on the 'data:' URL scheme (RFC 2397). Only the ending of the URL is displayed. Padding the URL with whitespaces allows an attacker to insert an arbitrary content into the browser url bar.

http://alt.swiecki.net/oper1.html

Tested with:

Opera 9.21 on Win 2003SE and Win XPSP2
Opera 9.21 on Linux
Konqueror 3.5.7 on Linux

Pictures taken on my systems (using 1024x768 dekstop resolution)

http://alt.swiecki.net/operalin.pnghttp://alt.swiecki.net/operawin.pnghttp://alt.swiecki.net/konq.png

Successfull attack depends on the proper construction of the 'data:' URL. An algorithm could utilize JS document.body.clientWidth/Height properties to calculate the best url padding for the given browser.

PS. Sometimes Opera web browser displays the beggining of the 'data:' URL (correct behaviour), e.g. during browser startup with immediate redirect to the last visited page.

-- 
Robert Swiecki

Received on Sat Jul 14 12:59:27 2007

This message: [ Message body ]
Next message: Aditya K Sood: "WhitePapers By SecNiche Security"
Previous message: Michal Zalewski: "MSIE7 entrapment again (+ FF tidbit)"
Next in thread: Harri Porten: "Re: Opera/Konqueror: data: URL scheme address bar spoofing"
Maybe reply: Harri Porten: "Re: Opera/Konqueror: data: URL scheme address bar spoofing"
Maybe reply: lockoom(at)gmail.com: "Re: Opera/Konqueror: data: URL scheme address bar spoofing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Thu Aug 09 2007 - 17:55:53 EDT

Do you need help?